Behavioral Baselines

Anomaly Detection

Changes in behavior are identified in near real-time, and compared to sensitivity settings you control for prioritization.

Actionable Intelligence

Alerts are triggered on anomalies most indicative of insider threat in your organization, and rich activity data is stored for rapid review.

Your organization is, and will be, compromised by insiders.

Regardless of industry or company size, the fact is that people have become the perimeter. If you are not specifically looking for insider attacks, you are missing them. Veriato Recon combines analysis of technical indicators and psycholinguistic indicators to provide early warning of threats to your data security. An attacker, no matter how sophisticated, will cause a deviation from established patterns.

Elegantly Simple Tuning

Provides you with the ability to alert on meaningful behavioral changes, without contributing to over-alert syndrome.

Behavioral Groups

After a short training period, Veriato Recon identifies groups of users based on observed behavior to enable more accurate baselines. Behaviors evaluated include resource and application access and usage.

Alerting

Alerts are routed to your SIEM or other third-party data aggregation solution via direct connections or via syslog. You can also choose to receive alerts directly, on a frequency you control.

Veriato Recon looks at a wide range of user attributes and evaluates them for indicators of compromise.

Indicators of Compromise

Compromise has a long history of providing insight into user activity. We understand the ways a true insider can exfiltrate data, as well as how hackers can leverage compromised credentials to ‘become an insider’, and we watch for the changes in behavior that indicate your data security is at risk. This includes data access and movement, as well as credential usage activity and a range of additional attributes.

Psycholinguistic Attributes

Because Veriato Recon can see into the communications fabric of your organization, it is able to watch for changes to language usage that are known indicators of insider activity. The ways people think, act, and communicate are linked. Shifts in tone and intensity and changes in language usage are detected, providing additional richness that aids in identification and prioritization of threats.

Common Uses

Data Leak Prevention

Specifically designed to augment traditional DLP and other preventative security measures, Veriato Recon identifies insider risk and threat to data security by watching for changes in data access and movement. A robust data security strategy requires focus on device, data, and user.

IP Theft

Malicious insiders and departing employees target valuable intellectual property. Veriato Recon not only alerts on the deviations in data movement that occur when IP is taken, it creates a system of record that supports best practices related to the threat that exists when employees leave.

High Risk Insiders

The behaviors of highly privileged users, employees involved in negative workplace events, and contractors need to be more closely inspected and monitored to protect against a damaging attack. Veriato Recon evaluates behavior shifts in near real-time, so security teams can focus resources where they can be most effective.

In addition, when Veriato Recon detects a meaningful anomaly in behavior, it’s a simple process to engage the power of Veriato 360 to quickly review the underlying user activity data – so you get the intelligence you need to act quickly and appropriately.

I own Veriato 360. Do I get the user behavior analytics functionality?

No. User behavior analytics is a function of Veriato Recon, and requires a Recon license.

How do I view the underlying activity data in Veriato Recon?

Veriato Recon logs the data it collects so it is available if you need it. Accessing the underlying activity data requires a Veriato 360 license. For many organizations, Veriato Recon stand-alone meets their goals. Organizations that recognize the benefits of combining User Behavior Analytics with User Activity Monitoring frequently purchase “floating” Veriato 360 licenses along with Veriato Recon. These floating licenses can be moved throughout the organization, so when the need arises to view the underlying data it is a quick and easy process to do so.

What is the difference between using an endpoint license rather than a floating license to unlock the data recorded by Recon?

If an endpoint license is used to unlock the Recon recorded data, then this license cannot be used again on a different computer; it can only be used on the same computer. If a floating license is used to unlock the Recon recorded data, once that machine is set back to Recon mode, then the floating license can be used again on a different computer.

How long does Veriato Recon store the user activity data it logs?

The data can be stored for up to 30 days. On the 31st day data is logged, the first day’s activity log rolls off. The 30-day temporary retention period supports the best practice of reviewing the online activity of departing employees for the 30 days prior to notice of resignation, or prior to termination.

Does Veriato Recon take a user's behavior across multiple computers into consideration?

Yes, when a user uses more than one computer, transactional / metadata is shipped to the central database so that their behavior across each computer they use can be combined to generate an appropriate baseline of their behavior.

How does Veriato Recon’s baselining account for vacations, days off, or other similar schedule changes?

The solution has intelligence built in that allows it to, with no manual configuration, accommodate users who log in for a full workday, a partial workday, or don't log in at all.